Google Says Goodbye to the Password, Hello to the Passkey

Last Thursday may have been World Password Day, but for Google users, it was the first day they could say finally say goodbye to the password, thanks to the rollout of passkeys. 

Google announced the availability of passkeys via their Google Security Blog on May 3rd. The next time a Google account user logs into their account, they will most likely be prompted with the option to setup a passkey.

The rollout of passkeys to Google users is being lauded in the industry as a major step towards a password-less future and, more importantly, a more secure one, given that passkeys are specifically designed to reduce phishing attacks.

Google is one of the higher profile companies to roll out passkeys, but Microsoft and Apple have also established the infrastructure to support passkeys – and adoption of passkeys is on the rise with companies including PayPal, Shopify, CVS Health, Kayak and Hyatt recently introducing the passkey option to account holders.

Google account holders will have the option to continue using their existing passwords, even if they set up a passkey, but the security setting will default to the passkey once it is set up.

What Are Passkeys?

According to Google, passkeys are a more convenient and safer alternative to passwords. Passkeys allow access to apps and websites without the need to enter usernames, passwords or other authentication factors. When a user wants to login into services that use passkeys, the system will ask them to unlock their device with methods usually associated with smartphones such as biometrics (fingerprint, face scan), PIN or pattern.

How Do Passkeys Work?

According to the Google Passkey Blog, passkeys use public key cryptography, which reduces the threat from potential data breaches. When a user creates a passkey with a site or application, this generates a public–private key pair on the user's device. Only the public key is stored by the site, but this alone is useless to an attacker. An attacker can't derive the user's private key from the data stored on the server, which is required to complete the authentication process.

Because passkeys are bound to a website or app's identity, they're safe from phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created them. This frees users from being responsible for signing into the genuine website or app.

Are Passkeys More Secure Than Passwords?

We all know that passwords are inherently faulty. While organizations are increasingly encouraging longer and more complex passwords or passphrases, one look at the worst passwords of last year shows that end users generally opt for convenience over security when given the choice.

Once a threat actor has usernames and passwords, they have access to all accounts with the same credentials. Phishing attacks specifically target usernames and passwords for this very reason and, in recent years, have used increasingly sophisticated techniques designed to trick users relying on the enhanced password security layer offered by multi-factor authentication.

Unlike passwords, passkeys only exist on your devices within encrypted key storage which means passkeys cannot be written down, stolen or used across multiple accounts, which protects users from the most common risks associated with passwords, such as being reused or exposed in a data breach.

Pervasive utilization of public key infrastructure has been in the making for decades.  The administrative challenges with operating certificate authorities historically have slowed the adoption, however, the passkey approach holds the promise of a simplified and trusted authority based model that can overcome some of these obstacles.  Whether or not having Google push passkeys is the start of a true password-less future, this new security feature comes with immense upside to everybody involved, from both a security and convenience perspective.

Related Resources

• Google Security Blog – So Long Passwords, Thanks for All the Phish
• Google Safety & Security Blog – The Beginning of the End of the Password

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.

To learn more, visit our dedicated Cybersecurity page.